Add "no-store" to Cache-Control header to prevent history caching of admin resources
Reported by: soulseekah | Owned by:
The current implementation of wp_get_nocache_headers does not take into account history caching, which results in a browser serving a cached copy of pages from history (by pressing the Back button) even if the user has long logged out.
RFC 2616 14.9.2 no-store describes this cache directive.
To reproduce: log in to the dashboard, log out, press the Back button.
Expected: the login screen.
Reality: a copy of the previous page.
By adding the "no-store" directive to all non-cacheable resources the behavior was mitigated successfully in Chrome 21 and Firefox 15. Fails on Opera 12 (they chose to disregard "no-store" when applied to history; the RFC allows this).
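The mitigation the ticket describes, written here as an added example rather than the ticket's patch or WordPress core code: a callback on the `nocache_headers` filter (the filter wp_get_nocache_headers() applies to its header array) that appends "no-store" to Cache-Control without duplicating it. The function name `example_add_no_store` and the sample header values used for the stand-alone run are constructed for this example.

```php
<?php
// Added example (not WordPress core code). Ensures the Cache-Control header
// sent for non-cacheable responses carries "no-store", so a browser will not
// replay an admin page from its history cache after the user has logged out.

/**
 * Append "no-store" to the Cache-Control directive list if it is missing.
 * Directive matching is case-insensitive and the existing order is kept,
 * so calling this twice (e.g. from two plugins) does not duplicate it.
 */
function example_add_no_store( array $headers ) {
    $cache_control = isset( $headers['Cache-Control'] ) ? $headers['Cache-Control'] : '';
    $directives    = array_filter( array_map( 'trim', explode( ',', $cache_control ) ), 'strlen' );

    $present = false;
    foreach ( $directives as $directive ) {
        if ( strtolower( $directive ) === 'no-store' ) {
            $present = true;
            break;
        }
    }
    if ( ! $present ) {
        $directives[] = 'no-store';
    }

    $headers['Cache-Control'] = implode( ', ', $directives );
    return $headers;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook the filter wp_get_nocache_headers() applies.
    add_filter( 'nocache_headers', 'example_add_no_store' );
} else {
    // Stand-alone check outside WordPress with a constructed header set
    // (values chosen to resemble the no-cache headers; not copied from core).
    $sample = array(
        'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',
        'Last-Modified' => gmdate( 'D, d M Y H:i:s' ) . ' GMT',
        'Cache-Control' => 'no-cache, must-revalidate, max-age=0',
        'Pragma'        => 'no-cache',
    );
    $once  = example_add_no_store( $sample );
    $twice = example_add_no_store( $once );
    assert( $once['Cache-Control'] === 'no-cache, must-revalidate, max-age=0, no-store' );
    assert( $twice['Cache-Control'] === $once['Cache-Control'] );
    echo $once['Cache-Control'], PHP_EOL;
}
```

Run it with `php` on the command line to see the resulting directive list; inside WordPress the filter is registered and the `else` branch is skipped.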
Change History (9)
- Cc info@… added